Square-Off: Are Corporate Cyber Defenses Adequate?

It's not just about the technology, stupid. That's the collective message of the four expert commentators in this CFO Square-Off opinion forum, which addresses the issue of how CFOs and their corporations should be addressing cybersecurity in the face of rapid advances on the hacking front. Instead, finance chiefs should be focusing on their companies' systemic risks rather than just software. However, many companies are failing to address cybersecurity adequately because they tend to underva ..

American corporations have a high degree of cybersecurity risk awareness, and yet many enterprises, especially in non-regulated sectors, fall short in their cybersecurity stance. This is mainly because executives see security as an ROI-less investment mandated by regulation.

Even worse, executives suffer from two psychological biases: “We haven’t suffered a breach this year, so no need to invest more in security” and “We will be hacked anyway, so all this security stuff is voodoo and a waste of our money.”

Even so, no one can ignore the severity of cyber threats today. Ask anyone in corporate America and they’ll tell you that cyber risks are real. Heck, even Warren Buffett warned recently that cyberattacks are “the number one problem with mankind.” This is not surprising given all the recent high-profile security breaches, from the Democratic National Committee hack to the Chipotle breach.

But the way the cybersecurity industry has reacted to these threats has created deep mistrust among its customers. The fact that no solution provides one hundred percent security forces organizations to install and maintain between six and 50 different security products.

Focusing on alert generation, these security systems create too much noise, most of which consists of false positives that eventually result in alert fatigue. Even when an actual breach has been detected, it can take a long time to remediate completely because these solutions do not present the full scope of the incident.

This reactive “action and response” behavior cycle continually puts the “defending team” on its heels, reacting to, rather than understanding, what is really happening. This is obviously very frustrating for executives who see the company bleeding cash for improved security but in effect achieving very little.

Some executives call for greater government involvement, noting that their organizations lack the resources to secure against sophisticated attacks. Government initiatives to secure the private sector are almost always insufficient, because it’s impossible to gauge the security stance of each and every company and recommend (or order) the implementation of specific security means. To do so would require a nationwide cybersecurity federal auditing task force, and no one wants that.

The same goes for sector-wide information sharing. Companies are not incentivized to share information about threats and breaches, because doing so carries legal liabilities (and potentially regulatory ones as well). But even if they were incentivized, the shared information would likely be very general and vague, requiring an extremely capable chief information security officer on the receiving end to digest it and implement the required security changes.

The answer is not to impose more regulations, nor to force companies to share information, but to make sure they can get the basics right. It’s really more about proficient manpower, training, and guidance than more technology.

In this regard, the NIST Cybersecurity Framework provides relevant guidance for most companies, and it’s up to them to implement it. But there’s a catch here: even the most comprehensive framework implemented to perfection does not equal one hundred percent security.

This is something enterprises must understand. They need to switch from an insurance-like mindset to a military mindset. When they are able to shift from a “let’s do as the guidelines say, so we won’t have to worry when a breach occurs” philosophy to a “let’s follow the expert advice and proactively prepare for a breach” mindset, then we’ll start to see fewer breaches, better handling of them, and improved communication with peers and the public alike.

Gilad Peleg is chief executive officer of SecBI, a threat detection company.


4 responses to “Cybersecurity Demands a Military Mindset”

  1. I agree Cyber should be treated as warfare. As such, that takes flexibility, adaptation, and quick reaction to the enemy and their tactics. This is something the Federal Government cannot do. The size of the organizations, requirements for certifications and contractor past performance, multiple layers of contractors, legally required open solicitation periods, and many other factors prevent them from deploying and utilizing defensive technologies as fast as the enemy can deploy them. One example is the NIST 800 guidelines – these are updated every 2 years. Part of that is required by Federal open comment periods, public access, etc. They are almost by definition a historical record of what was done in the past – not what should be done for the future.
    They have the money and expertise in Government to be bleeding edge – just not the laws and policies that allow them to take full advantage of that.
    I believe taking the basic military doctrine of security starting at the perimeter is a good basis to build on. We have created too many castles (the Cloud?) now to be able to detect and defend against.

  2. Nice article and I agree on the points made above. In particular, I think security products and services promise too much in their zeal to sell when in fact several solutions are required. Perhaps it would help if products and services were labelled with broad NIST CSF categorizations. At least then it would be more apparent where each solution best fits rather than being presented as a panacea for total security.
